Our Briefings for the Board:
We offer custom briefings for the Board of Directors and executive management, tailored to the specific needs of each legal entity. Our briefings can be short and comprehensive, or longer, depending on the needs, the content of the program and the case studies.
Alternatively, you may choose one of our existing briefings:
1. The Critical Entities Resilience Directive (CER) for the Board of Directors and executive management of EU legal entities.
2. The Critical Entities Resilience Directive (CER) for the Board of Directors and executive management of non-EU legal entities.
You can find all information below.
Delivery format of the training program
a. In-House Instructor-Led Training. This format is specifically designed and customized for individuals within a particular company or organization, including board members, executive management, risk managers, and employees. An instructor from Cyber Risk GmbH, approved by the client, will travel to the client’s chosen location to deliver the training. The content and delivery are tailored to meet the specific needs of the client, as outlined in the contract.
b. Online Live Training. This real-time, synchronous training takes place in a live virtual meeting room via platforms such as Zoom, Webex, or Microsoft Teams. Instructors from Cyber Risk GmbH, approved by the client, customize the delivery method (e.g., interactive or non-interactive) to suit the client’s needs. The instructor leads the session and addresses questions based on the client’s specific requirements and the terms of the contract.
c. Video-Recorded Training. This professional, pre-recorded training format is tailored to the client’s needs and contract specifications. Instructors from Cyber Risk GmbH, approved by the client, record the content in a professional studio. The pre-recorded material, including future updates, is licensed to the client for internal training purposes. Clients can integrate the videos into their internal learning management systems. Available programs include Orientation Video Training and Compliance Video Training.
1. The Critical Entities Resilience Directive (CER) for the Board of Directors and executive management of EU legal entities.
Course Synopsis, possible modules
The European Union (EU) - key institutions, the EU legislative process, the roles.
- The European System of Financial Supervision.
- The major changes after the Lisbon Treaty.
- Delegated acts - supplementing or amending certain non-essential elements of a basic act.
- Implementing acts.
- Regulatory technical standards (RTS), Implementing technical standards (ITS).
- The Committee of European Auditing Oversight Bodies (CEAOB).
- The European External Action Service, Common Foreign and Security Policy (CFSP), Common Security and Defence Policy (CSDP), European Cyber Defence Policy Framework (CDPF).
The Critical Entities Resilience Directive (CER), important Articles.
- Subject matter, scope, definitions.
- Strategy on the resilience of critical entities.
- Risk assessment by Member States.
- Identification of critical entities.
- Significant disruptive effect.
- Critical entities in the banking, financial market infrastructure and digital infrastructure sectors.
- Member States’ support to critical entities.
- Risk assessment by critical entities.
- Resilience measures of critical entities.
- Background checks.
- Incident notification.
- Identification of critical entities of particular European significance.
- Supervision and enforcement.
- Transposition.
Understanding the CER Directive.
- NIS 2 and the resilience of critical entities.
- Sector-specific Union legal acts and the resilience of critical entities.
- National security, defence, and the resilience of critical entities.
- Entities that are jointly established.
- Employees / contractors of critical entities.
- Requests for background checks.
- So many deadlines … Mark your calendar.
- Important national options and discretions.
Other new EU Directives and Regulations.
- The NIS 2 Directive.
- The Digital Operational Resilience Act (DORA).
- The Artificial Intelligence Act.
- The European Data Act.
- The European Data Governance Act (DGA).
- The European Cyber Resilience Act (CRA).
- The Digital Services Act (DSA).
- The Digital Markets Act (DMA).
- The European Chips Act.
- The Artificial Intelligence Liability Directive.
- The Framework for Artificial Intelligence Cybersecurity Practices (FAICP).
- The EU Cyber Solidarity Act.
- The Digital Networks Act (DNA).
- The European ePrivacy Regulation.
- The European Digital Identity Regulation.
- The European Media Freedom Act (EMFA).
- The Corporate Sustainability Due Diligence Directive (CSDDD).
- The Systemic Cyber Incident Coordination Framework (EU-SCICF).
- The European Health Data Space (EHDS).
- The European Financial Data Space (EFDS).
- The Financial Data Access (FiDA) Regulation.
- The Payment Services Directive 3 (PSD3), Payment Services Regulation (PSR).
- Internal Market Emergency and Resilience Act (IMERA).
- The European Space Law (EUSL).
Instructor
Our instructors are professionals with extensive, real-world experience in their respective fields. They are equipped to deliver full-time, part-time, or short-form programs, all customized to suit your specific requirements. Beyond teaching, our instructors provide hands-on guidance, offering real-world insights that help bridge the gap between theory and practice. You will always be informed ahead of time about the instructor leading your program.
Terms and conditions.
You may visit: https://www.cyber-risk-gmbh.com/Terms.html
2. The Critical Entities Resilience Directive (CER) for the Board of Directors and executive management of non-EU legal entities.
Overview.
The terms ‘extraterritoriality’ and ‘extraterritorial jurisdiction’ refer to the competence of a country to extend its legal powers beyond its territorial boundaries, and to make, apply and enforce rules of conduct in respect of persons, property or events beyond its territory.
The Sarbanes-Oxley Act of 2002, for example, applies to foreign auditors and foreign companies whose securities are listed on a US stock exchange.
Extraterritorial application of EU law is the application of EU provisions outside the territory of the EU, resulting from EU unilateral legislative and regulatory action.
For example, according to the EU’s General Data Protection Regulation (GDPR), non-EU data controllers and processors in any country must comply with the GDPR obligations if they offer goods or services to individuals in the EU.
Anu Bradford, Professor of Law at Columbia Law School, is the author of the book “The Brussels Effect: How the European Union Rules the World” (2020), which was named one of the best books of 2020 by Foreign Affairs.
In 2012, she introduced the concept of the ‘Brussels Effect’, which describes Europe’s unilateral power to regulate global markets.
Anu Bradford explains why most global corporations choose to adopt the European laws, regulations and standards in the design and operation of their products and services.
The EU standards are generally stricter, and in most cases, when you comply with EU rules, you comply with laws and regulations around the world.
Even when this approach is more costly, global corporations prefer to have an enterprise-wide, single mode of production and operations, and to market their goods and services globally.
Following the doctrine "you comply with EU rules, you comply around the world", global corporations and service providers need professionals that understand the EU laws, regulations, standards and guidelines.
When the European Commission determines that the regulatory or supervisory regime of a non-EU country is equivalent to the corresponding EU framework, the equivalence decision:
- allows authorities in the EU to rely on supervised entities' compliance with equivalent rules in a non-EU country,
- reduces or eliminates overlaps in compliance requirements for both EU and non-EU entities,
- makes services and products of non-EU companies accepted in the EU,
- allows third-country firms to provide services without establishment in the EU single-market.
We will discuss what happens when the European Commission determines that the regulatory or supervisory regime of a non-EU country is not equivalent to the corresponding EU framework, or when the European Commission has not yet determined if the regulatory or supervisory regime of a non-EU country is equivalent.
We can better understand equivalence decisions from the experience we have with the Accounting Directive, the Audit Directive, the Capital Requirements Regulation (CRR), the Credit Rating Agencies Regulation, the European Market Infrastructure Regulation (EMIR), the Market Abuse Regulation (MAR), the Markets in Financial Instruments Directive (MiFID II), the Markets in Financial Instruments Regulation (MiFIR), the Prospectus Directive, the Solvency II Directive and the Transparency Directive.
After this presentation, the Board and executive management will have a clear understanding of what is mandatory and what is "nice to have", and of the consequences of non-compliance.
Course Synopsis
Introduction
- What is extraterritoriality?
- Extraterritorial application of EU law.
- Risk and compliance management challenges for firms established in non-EU countries.
- Are you sure we must comply with the Critical Entities Resilience Directive (CER)? Where can we find this information?
The Critical Entities Resilience Directive (CER) and Its Extraterritorial Impact.
- Breakdown of the Critical Entities Resilience Directive’s objectives, scope, and provisions.
- Analysis of the directive’s extraterritorial application to non-EU entities that offer services to the EU or engage in cross-border activities.
- Key compliance obligations and risk management requirements for non-EU organizations.
Assessing the Risk Exposure of Non-EU Entities.
- Identifying sectors and services that fall within the scope of CER.
- How to evaluate your organization's exposure to CER obligations based on business operations in the EU.
Roles and Responsibilities of the Board and Executive Management.
- Clarifying the roles of the Board and executive management in overseeing compliance with CER.
- Understanding the accountability and governance obligations of non-EU entities subject to the directive.
- Potential legal, financial, and reputational risks associated with non-compliance.
Cybersecurity Risk Management for Cross-Border Entities.
- Strategies for implementing effective risk management frameworks in alignment with CER requirements.
- Cross-border incident management and reporting obligations, particularly in relation to EU cybersecurity authorities and regulators.
- Enhancing resilience in international operations by adopting EU-compliant cybersecurity practices.
Cross-Border Cooperation and Reporting.
- Guidance on working with EU regulators, national cybersecurity bodies, and stakeholders in managing incidents.
- Navigating the complexities of cross-border cooperation and information-sharing.
- Understanding the legal framework for reporting cyber incidents to EU authorities and how it applies to non-EU entities.
Instructor.
Our instructors are professionals with extensive, real-world experience in their respective fields. They are equipped to deliver full-time, part-time, or short-form programs, all customized to suit your specific requirements. Beyond teaching, our instructors provide hands-on guidance, offering real-world insights that help bridge the gap between theory and practice. You will always be informed ahead of time about the instructor leading your program.
Terms and conditions.
You may visit: https://www.cyber-risk-gmbh.com/Terms.html
Understanding the Critical Entities Resilience Directive (CER)
While certain sectors of the EU economy, such as the energy and transport sectors, are already regulated by sector-specific Union legal acts, those legal acts contain provisions which relate only to certain aspects of resilience of entities operating in those sectors.
In order to address in a comprehensive manner the resilience of those entities that are critical for the proper functioning of the internal market, this Directive creates an overarching framework that addresses the resilience of critical entities in respect of all hazards, whether natural or man-made, accidental or intentional.
The growing interdependencies between infrastructure and sectors are the result of an increasingly cross-border and interdependent network of service provision using key infrastructure across the EU in the energy, transport, banking, drinking water, waste water, production, processing and distribution of food, health, space, financial market infrastructure and digital infrastructure sectors and in certain aspects of the public administration sector.
According to Article 1 (Subject matter and scope), the Critical Entities Resilience Directive (CER):
(a) lays down obligations on Member States to take specific measures aimed at ensuring that services which are essential for the maintenance of vital societal functions or economic activities are provided in an unobstructed manner in the internal market, in particular obligations to identify critical entities and to support critical entities in meeting the obligations imposed on them;
(b) lays down obligations for critical entities aimed at enhancing their resilience and ability to provide services in the internal market;
(c) establishes rules:
(i) on the supervision of critical entities;
(ii) on enforcement;
(iii) for the identification of critical entities of particular European significance and on advisory missions to assess the measures that such entities have put in place to meet their obligations under Chapter III;
(d) establishes common procedures for cooperation and reporting on the application of this Directive;
(e) lays down measures with a view to achieving a high level of resilience of critical entities in order to ensure the provision of essential services within the Union and to improve the functioning of the internal market.
Who must comply with the Critical Entities Resilience Directive (CER)?
According to Article 2 (Definitions) of the Critical Entities Resilience Directive (CER), ‘critical entity’ means a public or private entity which has been identified by a Member State as belonging to one of the following categories:
1. Energy.
a. Electricity.
— Electricity undertakings.
— Distribution system operators.
— Transmission system operators.
— Producers.
— Nominated electricity market operators.
— Market participants.
b. District heating and cooling.
— Operators of district heating or district cooling.
c. Oil.
— Operators of oil transmission pipelines.
— Operators of oil production, refining and treatment facilities, storage and transmission.
— Central stockholding entities.
d. Gas.
— Supply undertakings.
— Distribution system operators.
— Transmission system operators.
— Storage system operators.
— LNG system operators.
— Natural gas undertakings.
— Operators of natural gas refining and treatment facilities.
e. Hydrogen.
— Operators of hydrogen production, storage and transmission.
2. Transport.
a. Air.
— Air carriers used for commercial purposes.
— Airport managing bodies, airports, including the core airports and entities operating ancillary installations contained within airports.
— Traffic management control operators providing air traffic control (ATC) services.
b. Rail.
— Infrastructure managers.
— Railway undertakings, including operators of service facilities.
c. Water.
— Inland, sea and coastal passenger and freight water transport companies.
— Managing bodies of ports, including their port facilities, and entities operating works and equipment contained within ports.
— Operators of vessel traffic services (VTS).
d. Road.
— Road authorities responsible for traffic management control, excluding public entities for which traffic management or the operation of intelligent transport systems is a non-essential part of their general activity.
— Operators of Intelligent Transport Systems.
3. Banking.
— Credit institutions.
4. Financial market infrastructures.
— Operators of trading venues.
— Central counterparties (CCPs).
5. Health.
— Healthcare providers.
— EU reference laboratories.
— Entities carrying out research and development activities of medicinal products.
— Entities manufacturing basic pharmaceutical products and pharmaceutical preparations.
— Entities manufacturing medical devices considered to be critical during a public health emergency (public health emergency critical devices list).
6. Drinking water.
— Suppliers and distributors of water intended for human consumption, excluding distributors for which distribution of water for human consumption is a non-essential part of their general activity of distributing other commodities and goods.
7. Waste water.
— Undertakings collecting, disposing of or treating urban waste water, domestic waste water or industrial waste water, excluding undertakings for which collecting, disposing of or treating urban waste water, domestic waste water or industrial waste water is a non-essential part of their general activity.
8. Digital infrastructure.
— Internet Exchange Point providers.
— DNS service providers, excluding operators of root name servers.
— TLD name registries.
— Cloud computing service providers.
— Data centre service providers.
— Content delivery network providers.
— Trust service providers.
— Providers of public electronic communications networks.
— Providers of publicly available electronic communications services.
9. ICT service management (business-to-business).
— Managed service providers.
— Managed security service providers.
10. Public administration.
— Public administration entities of central governments as defined by a Member State in accordance with national law.
— Public administration entities at regional level as defined by a Member State in accordance with national law.
11. Space.
— Operators of ground-based infrastructure, owned, managed and operated by Member States or by private parties, that support the provision of space-based services, excluding providers of public electronic communications networks.
Important note: This is an overview, not a detailed list of activities. Depending on their products or services, and on where those products or services belong in NACE (the statistical classification of economic activities in the European Union), entities must carefully consider whether they must comply with the Directive or not.